Hacker Issues Twitter Security Fail Warning to Trump

A hacker claims to have identified the password-reset email addresses associated with President Trump's Twitter account.

The first signs of a presidential transition to stronger cybersecurity aren't great. A hacker claims he figured out email addresses likely associated with President Donald Trump, his wife, the vice president and a top adviser.

The findings come entirely from open-source research, a bit of guessing and a Twitter security setting that apparently was never switched on, according to a series of tweets from the hacker and to CNN, which corresponded with him.

The hacker, who goes by WauchulaGhost, has garnered media coverage in the past for taking over ISIS-related Twitter accounts. A short time after his first Jan. 20 tweet on the subject, WauchulaGhost posted a screenshot of Trump's account in which Twitter displayed partially redacted versions of Trump's phone number and two email addresses.

Twitter: Real-Time and Dangerous

Trump has relied heavily on Twitter to promote his thoughts and agenda. It has proven to be a sharp spear that generates constant media coverage without the burden of answering direct questions. On the campaign trail, he mercilessly used Twitter to skewer opponents.

Trump's heavy use of Twitter to promote his thoughts and agenda means that an account takeover could have immediate and dangerous national security repercussions.

Former President Ronald Reagan famously triggered a crisis after he joked near a microphone prior to a speech that bombing of the Soviet Union would begin in five minutes. Although his statement was not broadcast live and the incident only became public the next day, it nonetheless provoked outrage from the Soviet Union.

Dangers of Redaction

The issue highlighted by WauchulaGhost involves Twitter's password-reset feature. Password resets remain a vexing problem for service providers: make the process too onerous and locked-out users abandon their accounts, make it too convenient and the reset flow itself becomes an attack surface.

In Twitter's case, when someone requests a password reset for an account, Twitter by default displays partially redacted recovery contacts for that account, such as its email address or phone number, so the requester can choose where the reset code is sent.

Although most of each value is obscured by X's, a few characters and digits remain visible, and those are a loose thread.

WauchulaGhost pulled the thread on the POTUS account. He posted a screenshot showing the last two digits of the phone number registered to the account plus redacted versions of two email addresses.

But email addresses, often created in haste, are not hard to guess: a person's name plus a few unmasked characters narrows the plausible candidates to a handful.

Indeed, WauchulaGhost ran the same experiment for the accounts of Vice President Mike Pence, Trump's wife, Melania, and Dan Scavino Jr., who is Trump's director of social media. According to CNN, WauchulaGhost thinks he identified the corresponding email addresses for those accounts, although it's not clear if the email addresses he guessed are accurate.
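To make concrete how little a redacted hint actually hides, here is an added example (not from the article, and not WauchulaGhost's method or code) that models the guessing step: it builds candidate addresses from a name and a list of common providers, then discards every candidate inconsistent with the masked hint. The display format (two visible characters of the local part, one of the domain, plus the top-level domain), the provider list and the victim "Jane Doe" are all constructed assumptions for illustration.

```python
import re

# Assumed display format for illustration only (not Twitter's documented
# behaviour): the first two characters of the local part, the first character
# of the domain and the top-level domain stay visible; everything else is
# replaced by MASK_CHAR.
MASK_CHAR = "*"

# Constructed list of common providers an attacker would try first.
PROVIDERS = ["gmail.com", "yahoo.com", "outlook.com", "hotmail.com"]


def mask_email(address: str, keep_local: int = 2, keep_host: int = 1) -> str:
    """Redact an address the way a reset page might display it."""
    local, _, domain = address.partition("@")
    host, _, tld = domain.rpartition(".")
    masked_local = local[:keep_local] + MASK_CHAR * max(len(local) - keep_local, 0)
    masked_host = host[:keep_host] + MASK_CHAR * max(len(host) - keep_host, 0)
    return f"{masked_local}@{masked_host}.{tld}"


def mask_to_regex(masked: str) -> re.Pattern:
    """Visible characters become literals; each run of mask characters becomes
    '.+' so the pattern does not trust the displayed run length."""
    pattern = ""
    in_run = False
    for ch in masked:
        if ch == MASK_CHAR:
            if not in_run:
                pattern += ".+"
                in_run = True
        else:
            pattern += re.escape(ch)
            in_run = False
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def candidate_addresses(first: str, last: str, providers=PROVIDERS) -> list:
    """Plausible addresses from common naming conventions (the 'guessing' step);
    real open-source research would add nicknames, initials and known aliases."""
    fn, ln = first.lower(), last.lower()
    local_parts = {
        fn + ln, f"{fn}.{ln}", f"{fn}_{ln}", fn[0] + ln, fn + ln[0],
        ln + fn, f"{ln}.{fn}", fn, ln,
    }
    return sorted(f"{lp}@{p}" for lp in local_parts for p in providers)


def matching_candidates(masked: str, candidates) -> list:
    """Keep only the candidates consistent with the redacted hint."""
    pattern = mask_to_regex(masked)
    return [c for c in candidates if pattern.match(c)]


if __name__ == "__main__":
    # Constructed victim; the address is fictitious.
    real = "jane.doe@yahoo.com"
    hint = mask_email(real)
    pool = candidate_addresses("Jane", "Doe")
    hits = matching_candidates(hint, pool)
    print(f"hint shown: {hint}")
    print(f"{len(pool)} guesses before the hint, {len(hits)} after: {hits}")
```

With the constructed inputs, the 36 initial guesses collapse to five, all at one provider, and the real address is among them; the leak is the product of the visible characters and a small, predictable naming space, not of any flaw in the masking characters themselves.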

Door to Spear Phishing Opens

The threat is that anyone who can identify the email address tied to a Twitter account can then target it, whether with phishing or with other social engineering. An email crafted to look as if it comes from a known contact, but carrying a malicious link or a malware-laced attachment, could be used to compromise the victim's system entirely. And because the recovery mailbox is where reset links arrive, an attacker who phishes its credentials gains control of the Twitter account's reset flow as well.

That is essentially the fate that befell the Democratic Party, which the U.S. intelligence community said was targeted by Russian hackers. Security companies believe the hackers used bogus login pages to trick victims into entering their credentials, which eventually gave the attackers access to the network of the Democratic National Committee, among others.

One Essential Twitter Security Setting

But there's an easy defense against the weakness identified by WauchulaGhost: Twitter offers a setting that requires whoever asks for a reset to first enter the account's own email address or phone number. With it enabled, Twitter displays no redacted hints, so a reset request yields nothing to someone who knows only the account's handle.
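The following added example (not Twitter's code, and not from the article) models the two reset behaviours described above as a toy service: the default flow shows masked recovery contacts to anyone who knows the handle, while the opt-in flow demands the account's own email or phone number, answers identically whether or not the guess was right, and shows no hints. The account data, the mask formats and the reply strings are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One reply for every request to the hardened flow, whether or not the handle
# exists and whether or not the supplied contact matched, so the response
# itself teaches an attacker nothing.
GENERIC_REPLY = "If that account exists, a reset link has been sent to its registered contact."


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    # Models the opt-in setting described in the article: when True, the
    # requester must already know the account's email or phone number.
    require_personal_info: bool = False


def mask_email(address: str) -> str:
    """Assumed display format: first two characters visible, rest masked."""
    return address[:2] + "*" * (len(address) - 2)


def mask_phone(number: str) -> str:
    """Assumed display format: only the last two digits visible."""
    return "*" * (len(number) - 2) + number[-2:]


@dataclass
class ResetService:
    accounts: Dict[str, Account]
    sent: List[str] = field(default_factory=list)  # handles actually sent a reset link

    def request_reset(self, handle: str, supplied_contact: Optional[str] = None) -> Tuple[str, List[str]]:
        """Return (message shown, masked hints shown) for one reset request."""
        acct = self.accounts.get(handle)
        if acct is None:
            return GENERIC_REPLY, []

        if not acct.require_personal_info:
            # Default behaviour the article describes: knowing the handle is
            # enough to see partially redacted recovery contacts. The next
            # step (not modelled) would send a code to whichever one is chosen.
            return "Choose where to send your reset code:", [mask_email(acct.email), mask_phone(acct.phone)]

        # Hardened path: compare the supplied contact in constant time against
        # the account's own email and phone; dispatch a link only on a match,
        # but reply the same way either way and never display hints.
        if supplied_contact is not None:
            guess = supplied_contact.strip().lower().encode()
            if hmac.compare_digest(guess, acct.email.lower().encode()) or hmac.compare_digest(guess, acct.phone.encode()):
                self.sent.append(handle)
        return GENERIC_REPLY, []


# Constructed accounts; handles, addresses and numbers are fictitious.
SAMPLE_ACCOUNTS = {
    "alice": Account("alice", "alice.liddell@example.com", "+15555550123"),
    "bob": Account("bob", "bob.builder@example.com", "+15555550199", require_personal_info=True),
}


if __name__ == "__main__":
    svc = ResetService(dict(SAMPLE_ACCOUNTS))
    print("default  :", svc.request_reset("alice"))
    print("hardened :", svc.request_reset("bob"))
    print("hardened :", svc.request_reset("bob", "not.bob@example.com"))
    print("hardened :", svc.request_reset("bob", "bob.builder@example.com"))
    print("links actually sent to:", svc.sent)
```

The point of the hardened path is that the three requests for "bob" are indistinguishable from the outside; only the one that already knew the registered address caused anything to be sent. The same principle applies to a request for a handle that does not exist, which is why the unknown-account case returns the generic reply rather than an error.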

Thankfully, this potential vulnerability doesn't appear to have been exploited. After CNN's story ran, WauchulaGhost tweeted, "Moral of the story is, the President should have better security. Maybe they will fix it now."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.